Bug#315120: Re: apt-spy: segfault with updated mirror list

[Masami Ichikawa]

Hi.

I could reproduce this bug.(using sid)

I rebuild apt-spy, without dh_string.

It's log.

[EMAIL PROTECTED]:/home/masami]$ dpkg -l | grep apt-spy
ii  apt-spy                                      3.1-13
writes a sources.list file based on bandwidth tests
[EMAIL PROTECTED]:/home/masami/hoge/apt-spy-3.1]$ sudo apt-spy update
Updating...
Grabbing file http://http.us.debian.org/debian/README.mirrors.txt...
Update complete. Exiting.
[EMAIL PROTECTED]:/home/masami/hoge/apt-spy-3.1]$ gdb /usr/bin/apt-spy
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db
library "/lib/tls/libthread_db.so.1".

(gdb) directory .
Source directories searched: /home/masami/hoge/apt-spy-3.1:$cdir:$cwd
(gdb) r -d testing -o /tmp/test.out
Starting program: /usr/bin/apt-spy -d testing -o /tmp/test.out

Program received signal SIGSEGV, Segmentation fault.
0xb7edeece in mallopt () from /lib/tls/libc.so.6
(gdb) bt
#0  0xb7edeece in mallopt () from /lib/tls/libc.so.6
#1  0xb7edddcb in free () from /lib/tls/libc.so.6
#2  0x0804a15e in build_area_file (config_p=0x804dca0, infile_p=0x804db20,
    mirror_list=0x804d9b8, area=0x804c640 "ALL") at parse.c:103
#3  0x08049c35 in main (argc=0, argv=0xbffff7e8) at main.c:240
(gdb) frame 2
#2  0x0804a15e in build_area_file (config_p=0x804dca0, infile_p=0x804db20,
    mirror_list=0x804d9b8, area=0x804c640 "ALL") at parse.c:103
103                             free(inputline);
(gdb) list
98
99                      while ((inputline = get_mirrors(mirror_list)) !=
NULL) {
100
101                             /* We now write the line to the
temporary file */
102                             fputs(inputline, infile_p);
103                             free(inputline);
104
105                             if ((ferror(infile_p)) != 0) {  /* Check
for file error */
106                                     free(line);
107                                     return 1;
(gdb) p inputline
$1 = 0x80db8d8
"linux.sarang.net:/mirror/os/linux/distribution/debian/:/ftp/mirror/os/linux/distribution/debian/i386:\n"
(gdb) printf "%d\n", strlen(inputline)
102
(gdb)

inputline was allocated by get_mirrors().
(100bytes allocated)
but, inputline has 102 bytes character.
100bytes is not enough buffer size.

sorry my English is not enough.
thanks.
-- 
/*
 * Masami Ichikawa
 * mailto: [EMAIL PROTECTED]
 */


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]